XAuth critiques

SitG Admin sysadmin at shadowsinthegarden.com
Mon Jun 7 20:13:05 UTC 2010


>You're mis-characterizing the arguments here -- please read my blog post.

Read it. Intent differs from effect. Breaking privacy to encourage 
browsers to fix it for you is provocative, whether meant to be so or 
not.

>That's fine, I'm just warning people that there's a larger echo 
>chamber effect beyond this one thread.

Thanks. I was only aware of xAuth to the extent that it has been 
mentioned on these (OpenID) lists.

>I disagree that XAuth, as a protocol that people can agree to start 
>using, is centralized.  The initial _implementation_ relies on a 
>central DNS name, but that is an accident of today's browser 
>limitations.  That's a huge difference from saying that it's 
>inherently centralized.

Agreed. I wasn't trying to say that it was *inherently* centralized, 
though this was my understanding of Eran's point originally; in my 
follow-up, I meant exactly what you said, that it starts this way 
(hence the "provoking browser vendors to fix it" bit).

-Shade

